BPNBAT

Section: NetBackup Commands (1M)
Updated: 2015-03-05
Index
 

NAME

bpnbat - perform Authentication tasks from within NetBackup  

SYNOPSIS

bpnbat [-AddDomain | -RemoveDomain] Private_Domain

bpnbat [-AddMachine]

bpnbat [-AddUser | -RemoveUser] Name Private_Domain

bpnbat -Execute [-cf credential_file] command

bpnbat -GetBrokerCert Broker_Name Broker_Port

bpnbat -Login [-Info answer_file] [-cf credential_file]

bpnbat -LoginMachine

bpnbat -Logout [-cf credential_file]

bpnbat -RemoveBrokerCert server.name.com

bpnbat -RenewCred [-cf credential_file]

bpnbat -ShowBrokerCerts

bpnbat -ShowMachines

bpnbat -Version

bpnbat -WhoAmI [-cf credential_file] [-Verify]

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is <install_path>\NetBackup\bin\  

DESCRIPTION

The bpnbat command is a tool that enables a user to use the Veritas Product Authentication and Authorization Service.

This service contains the following two distinct parts:

Authentication - prove who you are
Authorization - check what you can do

bpnbat enables a user to do authentication tasks from within NetBackup.

If a command needs a password, it doesn't echo the password or asterisks, which someone can use to narrow the password search space significantly.

NetBackup Access Control requires the user's home directories to work correctly.

You must have administrator privileges to run the following command options: -AddDomain, -RemoveDomain, -AddMachine, -AddUser, -RemoveUser, -LoginMachine, and -ShowMachines.  

OPTIONS

[-AddDomain | -RemoveDomain] Private_Domain
These options enable an administrator that runs locally on an Authentication server to add or remove domains within the private Veritas Domain Database. These domains are not accessible from within any operating system. They are meaningful only within Veritas Product Authentication and Authorization Service. Use them where a centralized naming authority (such as a PDC/AD or NIS domain) is not available.
-AddMachine
Registers a machine in a private Veritas Product Authentication. The identity is placed in the private domain NBU_Machines@<at.server.name>. Run this option on your authentication broker (root +ab).
[-AddUser | -RemoveUser] Private_Domain
Enables an administrator that runs locally on an Authentication server to add or remove users from domains in the private Veritas Domain Database. These accounts are meaningful only within Veritas Product Authentication and Authorization Service. Use them when a centralized naming authority (such as PDC/AD or NIS domain) is not available.
-Execute [-cf credential_file] command
Executes the specified command with credential file -cf read from disk.
-GetBrokerCert
Obtains a broker certificate without authenticating to a broker.
-Login [-Info answer_file] [-cf credential_file]
Identifies yourself to the system. When you run this command with no options, you are prompted to enter a name, password, domain, authentication type, and a server to authenticate. The combination of a name, password, domain, and domain type creates a unique identity within an Enterprise-wide network. The first time a broker is contacted, you are asked if you want to trust that broker and authenticate them. You cannot use an untrusted broker.

The -Info option lets you take the name, password, and domain information from an answer_file, and place the certificate in credential_file (if specified) or the default location. You can create an answer text file, so that you don't have to manually type the user name and password for logon.

Warning: Storing the user name and password in a plain text file is a potential security issue. Unauthorized users with read access to the text file can obtain the user name and password for the Veritas Product Authentication and Authorization Service to manually authenticate with the bpnbat command. Ensure that no unauthorized users can access the answer text file. The answer file must contain the following four lines:

<domain type>
<domain>
<username>
<password>
Where <domain type> is one of the following values:

NIS 
NIS+ 
NT 
vx 
unixpwd
If you use an answer file, ensure that the appropriate AUTHENTICATION_DOMAIN is configured on the server. See the NetBackup Security and Encryption Guide.
-LoginMachine
Identifies a machine that uses an account within the Veritas Security Subsystem private domain NBU_Machines@<at.server.name>. Run this option on your NetBackup Media, Master, and Clients. This option is similar to when you log in as a user to an authentication broker.
-Logout [-cf credential_file]
Invalidates the current user credentials that require the user to log on again to continue. Without the -cf option, the credential that is stored at the default location is expired. The -cf option points to the actual credential file, which allows a user to explicitly specify the credential to be expired.
-RemoveBrokerCert server.name.com
Removes a trust of a specified authentication broker for all users except the root user (administrator). You can use this command to remove a broker when you no longer trust it. For example, an authentication broker is moved to a different corporate division.
-RenewCred [-cf credential_file]
Renews the current user credentials from the VxSS store or the credential file that is specified by the -cf option.
-ShowBrokerCerts
Lists all of the brokers that the user currently trusts. NetBackup trusts any broker that is listed to handle the authentication requests that are sent to it.
-ShowMachines
Lists all computers that have been added to the computers domain of a private Veritas Security Subsystem database by using the -AddMachines option. It also shows if DNS fully resolved the computer name. Run this option on your authentication broker (root +ab).
-Version
Retrieves the version of the executable.
-WhoAmI [-cf credential_file] [-Verify]

Specifies the identity you currently use within Veritas Product Authentication and Authorization Service. It lists the following:

Your name
Domain
The authenticating broker who issued the credential
The time a certificate expires
The domain type that was used when the credential was created
 

EXAMPLES

Example 1 - The user uses -Login and the default port number to connect to the authentication broker that is called test.domain.veritas.com. (It is the server that handles the Authentication process.) An NIS account is used. Therefore, a domain name that is associated with the NIS account is provided in addition to a user and password.

# bpnbat -Login
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd): NIS
Domain: domain.veritas.com
Name: username
Password: 
You do not currently trust the server: test.domain.veritas.com, do 
you wish to trust it? (y/n): y
Operation completed successfully.

Example 2 - The -WhoAmI option verifies the identity that you currently use within the Veritas Product Authentication and Authorization Service.

# bpnbat -WhoAmI
Name: user name
Domain: domain.veritas.com
Issued by: /CN=broker/OU=root@eek.example.com/O=vx
Expiry Date: Oct 27 20:57:43 2009 GMT
Authentication method: NIS
Operation completed successfully.

Example 3 - Add a computer to the computer identities list:

# bpnbat -AddMachine
Machine Name: auto.domain.veritas.com
Password: 
Operation completed successfully.

Next, it shows the computer identities list:

# bpnbat -ShowMachines
auto.domain.veritas.com
Operation completed successfully

Then it logs on a computer to a specified authentication broker:

# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? 
(y/n) n
Authentication Broker: test.domain.veritas.com
Authentication port[ Enter = default]: 
Name: auto.domain.veritas.com
Password: 
Operation completed successfully.

Finally, you log into a computer to a specified authentication broker and a problem occurs:

If the user has a multi-NIC configuration or types the broker name incorrectly, a second prompt appears. It gives the user a second chance to enter the proper broker name. The following example assumes sleemanNB is a private NIC name. The public NIC name that Veritas Product Authentication and Authorization Service uses to build the authentication domain is sleeman.example.com. If a failure occurs using -loginmachine, the user has a second chance to enter an explicit primary hostname for the authentication broker. (Failures include a bad computer name, wrong password, or incorrect broker name.) Refer to the following example:

# bpnbat -LoginMachine
Does this machine use Dynamic Host Configuration Protocol (DHCP)? 
(y/n) n
Authentication Broker: sleemanNB
Authentication port[ Enter = default]: 
Machine Name: challenger
Password: 
Primary host name of broker: sleeman.example.com
Operation completed successfully.

Example 4 - Obtain a broker certificate without authenticating to a broker. It expects a broker (test.domain.veritas.com) and a port (0 for default)

# bpnbat -GetBrokerCert test.domain.veritas.com 0
Operation completed successfully.

Example 5 - Lists all the brokers that the user currently trusts

# bpnbat -ShowBrokerCerts
Name: root
Domain: root@test.domain.veritas.com
Issued by: /CN=root/OU=root@test.domain.veritas.com/O=vx
Expiry Date: Jun 12 20:45:19 2006 GMT
Authentication method: Veritas Private Security

Name: root
Domain: root@auto.domain.veritas.com
Issued by: /CN=root/OU=root@auto.domain.veritas.com/O=vx
Expiry Date: Feb 17 19:05:39 2006 GMT
Authentication method: Veritas Private Security
Operation completed successfully.

Example 6 - The -RemoveBrokerCert option removes a broker when the user no longer wants to trust it. In the following example, an authentication broker is moved to a different corporate division.

# bpnbat -RemoveBrokerCert test.domain.veritas.com
Operation completed successfully.

The user can now use the -ShowBrokerCerts option to display current certificates. The previously removed certificate is no longer displayed.

Example 7 -Show how to use an answer file to supply logon information for automated commands (cron, etc.).

For UNIX: The UNIX NIS domain name is location.example.com, the user name in this domain is bgrable, and the password is hello456. The corresponding answer file for bpnbat -login must contain the following four lines:

NIS
location.example.com 
bgrable
hello456

If the answer file is located in /docs and is called login.txt, the bpnbat command executes as follows:

# bpnbat -login -info /docs/vslogin.txt

After the bpnbat -login command is run, commands like bpbackup can be run without authentication errors.

For Windows: The windows domain name is corporate, the user name in this domain is jsmith, and the user password is hello123. The corresponding answer file for bpnbat -login has to contain the following four lines:

NT
corporate 
jsmith
hello123

If the answer file is located in /docs and is called login.txt, the bpnbat command executes as follows:

# bpnbat -login -info c:\docs\vslogin.txt

After the bpnbat -login command is run, commands like bpbackup can be run without authentication errors.  

SEE ALSO

bpnbaz


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
EXAMPLES
SEE ALSO